From 255b78ff5291cef79978b025c9872f801de89e23 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 4 Jun 2018 18:49:28 +0200
Subject: git: update to v2.18.0

Update to git version v2.18.0. Required changes follow upstream commits:
* Convert find_unique_abbrev* to struct object_id (aab9583f7b5ea5463eb3f653a0b4ecac7539dc94)
* sha1_file: convert read_sha1_file to struct object_id (b4f5aca40e6f77cbabcbf4ff003c3cf30a1830c8)
* sha1_file: convert sha1_object_info* to object_id (abef9020e3df87c441c9a3a95f592fce5fa49bb9)
* object-store: move packed_git and packed_git_mru to object store (a80d72db2a73174b3f22142eb2014b33696fd795)
* treewide: rename tree to maybe_tree (891435d55da80ca3654b19834481205be6bdfe33)
The changed data types required some of our own functions to be converted to struct object_id: ls_item print_dir print_dir_entry print_object single_tree_cb walk_tree write_tree_link
And finally we use new upstream functions that were added for struct object_id: hashcpy -> oidcpy sha1_to_hex -> oid_to_hex
Signed-off-by: Christian Hesse
Reviewed-by: John Keeping
---
 ui-clone.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'ui-clone.c')
diff --git a/ui-clone.c b/ui-clone.c
index bc98980..2c1ac3d 100644
--- a/ui-clone.c
+++ b/ui-clone.c
@@ -12,6 +12,7 @@
 #include "html.h"
 #include "ui-shared.h"
 #include "packfile.h"
+#include "object-store.h"
 
 static int print_ref_info(const char *refname, const struct object_id *oid,
 int flags, void *cb_data)
@@ -38,8 +39,8 @@ static void print_pack_info(void)
 ctx.page.mimetype = "text/plain";
 ctx.page.filename = "objects/info/packs";
 cgit_print_http_headers();
- prepare_packed_git();
- for (pack = packed_git; pack; pack = pack->next) {
+ reprepare_packed_git(the_repository);
+ for (pack = get_packed_git(the_repository); pack; pack = pack->next) {
 if (pack->pack_local) {
 offset = strrchr(pack->pack_name, '/');
 if (offset && offset[1] != '\0')
--
cgit v1.2.3-24-g4f1b
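Review bot: In the second hunk (print_pack_info) the old lazy `prepare_packed_git()` becomes `reprepare_packed_git(the_repository)`, which by its name forces a fresh scan of the pack directory on every request for objects/info/packs, and nothing in the hunk says why the stronger call is wanted. If `get_packed_git()` in git v2.18.0 already prepares the pack list on first use, as it appears to, the explicit call could simply be dropped. Otherwise a one-line comment such as `/* prepare_packed_git() is no longer exported; rescan before listing packs */` would record the intent. The body of print_pack_info starts and ends outside the hunk.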
From 53efaf30b50f095cad8c160488c74bba3e3b2680 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Fri, 3 Aug 2018 15:46:11 +0200
Subject: clone: fix directory traversal

This was introduced in the initial version of this code, way back when in 2008.
$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/sh
...
Signed-off-by: Jason A. Donenfeld
Reported-by: Jann Horn
---
 ui-clone.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
(limited to 'ui-clone.c')
diff --git a/ui-clone.c b/ui-clone.c
index 2c1ac3d..6ba8f36 100644
--- a/ui-clone.c
+++ b/ui-clone.c
@@ -92,17 +92,32 @@ void cgit_clone_info(void)
 
 void cgit_clone_objects(void)
 {
- if (!ctx.qry.path) {
- cgit_print_error_page(400, "Bad request", "Bad request");
- return;
- }
+ char *p;
+
+ if (!ctx.qry.path)
+ goto err;
 
 if (!strcmp(ctx.qry.path, "info/packs")) {
 print_pack_info();
 return;
 }
 
+ /* Avoid directory traversal by forbidding "..", but also work around
+ * other funny business by just specifying a fairly strict format. For
+ * example, now we don't have to stress out about the Cygwin port.
+ */
+ for (p = ctx.qry.path; *p; ++p) {
+ if (*p == '.' && *(p + 1) == '.')
+ goto err;
+ if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-')
+ goto err;
+ }
+
 send_file(git_path("objects/%s", ctx.qry.path));
+ return;
+
+err:
+ cgit_print_error_page(400, "Bad request", "Bad request");
 }
 
 void cgit_clone_head(void)
--
cgit v1.2.3-24-g4f1b
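Review bot: The allow-list loop in cgit_clone_objects passes a plain `char` to `isalnum()`, and `ctx.qry.path` is request-controlled, so a byte above 0x7f can reach the classifier as a negative value. With the C library's `isalnum` that is undefined behaviour and the result depends on the locale. If the file instead picks up git's locale-independent replacement through its headers (not visible in this hunk), the check is already safe and the comment above the loop should say so. Either way `if (!isalnum((unsigned char)*p) && *p != '/' && *p != '.' && *p != '-')` removes the dependency. The diffstat shows only ui-clone.c changed, so a regression test that requests a path containing `..` and expects the 400 page would be worth adding.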